Satellite communications giant Viasat on Wednesday shared new information from its investigation into the February cyberattack that took down service for broadband customers in Ukraine and across Europe. The company confirmed the "multifaceted and deliberate" attack impacted "several thousand" customers in Ukraine and tens of thousands of other fixed broadband customers across Europe.
The incident against Viasat's KA-SAT network took place on Feb. 24, the same day that Russia invaded Ukraine. According to Viasat's incident summary, a targeted denial of service attack was first detected when high volumes of focused, malicious traffic made it difficult for many modems to remain online. The traffic emanated from several SurfBeam2 and SurfBeam 2+ modems and/or associated customer premise equipment physically located within Ukraine.
"We believe the purpose of the attack was to interrupt service," Viasat said. "There is no evidence that any end-user data was accessed or compromised, nor customer personal equipment (PCs, mobile devices, etc.) was improperly accessed, nor is there any evidence that the KA-SAT satellite itself or its supporting satellite ground infrastructure itself were directly involved, impaired or compromised."
The attack was localized to a single, consumer-oriented partition of the KA-SAT network operated on Viasat's behalf by a Eutelsat subsidiary, Skylogic. It didn't impact Viasat's directly managed mobility or government users on the KA-SAT satellite, nor did it affect users on other Viasat networks.
The investigation and forensic analysis of the event identified a ground-based network intrusion by an attacker who gained remote access to the trusted management segment of the KA-SAT network. The attack apparently managed to gain that access by exploiting a misconfiguration in a VPN appliance. The attacker used their network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously.
Viasat said that it's still working with the wholesale distributors of its services to bring their customers back online. Some customer modems promptly received over-the-air updates, while other customers are getting new modems entirely. Viasat has already shipped tens of thousands of replacement modems to distributors, the company said.
The California-based company said it's working with Eutelsat/Skylogic, as well as the cybersecurity firm Mandiant and law enforcement and government agencies, to continue its investigation into the attack.